# This file is dual licensed under the terms of the Apache License, Version # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. from __future__ import absolute_import, division, print_function import binascii import datetime import ipaddress import os from pyasn1.codec.der import decoder from pyasn1_modules import rfc2459 import pytest import six from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.backends.interfaces import ( DSABackend, EllipticCurveBackend, RSABackend, X509Backend ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature ) from cryptography.x509.oid import ( AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID ) from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048 from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from .hazmat.primitives.test_ec import _skip_curve_unsupported from .utils import load_vectors_from_file @utils.register_interface(x509.ExtensionType) class DummyExtension(object): oid = x509.ObjectIdentifier("1.2.3.4") @utils.register_interface(x509.GeneralName) class FakeGeneralName(object): def __init__(self, value): self._value = value value = utils.read_only_property("_value") def _load_cert(filename, loader, backend): cert = load_vectors_from_file( filename=filename, loader=lambda pemfile: loader(pemfile.read(), backend), mode="rb" ) return cert @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateRevocationList(object): def test_load_pem_crl(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend ) assert isinstance(crl, x509.CertificateRevocationList) fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef" assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) def test_load_der_crl(self, backend): crl = _load_cert( os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), x509.load_der_x509_crl, backend ) assert isinstance(crl, x509.CertificateRevocationList) fingerprint = binascii.hexlify(crl.fingerprint(hashes.SHA1())) assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad" assert isinstance(crl.signature_hash_algorithm, hashes.SHA256) def test_invalid_pem(self, backend): with pytest.raises(ValueError): x509.load_pem_x509_crl(b"notacrl", backend) def test_invalid_der(self, backend): with pytest.raises(ValueError): x509.load_der_x509_crl(b"notacrl", backend) def test_unknown_signature_algorithm(self, backend): crl = _load_cert( os.path.join( "x509", "custom", "crl_md2_unknown_crit_entry_ext.pem" ), x509.load_pem_x509_crl, backend ) with pytest.raises(UnsupportedAlgorithm): crl.signature_hash_algorithm() def test_issuer(self, backend): crl = _load_cert( os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), x509.load_der_x509_crl, backend ) assert isinstance(crl.issuer, x509.Name) assert list(crl.issuer) == [ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), x509.NameAttribute( x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' ), x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') ] assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA') ] def test_equality(self, backend): crl1 = _load_cert( os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), x509.load_der_x509_crl, backend ) crl2 = _load_cert( os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), x509.load_der_x509_crl, backend ) crl3 = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend ) assert crl1 == crl2 assert crl1 != crl3 assert crl1 != object() def test_update_dates(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend ) assert isinstance(crl.next_update, datetime.datetime) assert isinstance(crl.last_update, datetime.datetime) assert crl.next_update.isoformat() == "2016-01-01T00:00:00" assert crl.last_update.isoformat() == "2015-01-01T00:00:00" def test_revoked_cert_retrieval(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend ) for r in crl: assert isinstance(r, x509.RevokedCertificate) # Check that len() works for CRLs. assert len(crl) == 12 def test_revoked_cert_retrieval_retain_only_revoked(self, backend): """ This test attempts to trigger the crash condition described in https://github.com/pyca/cryptography/issues/2557 PyPy does gc at its own pace, so it will only be reliable on CPython. """ revoked = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend )[11] assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0) assert revoked.serial_number == 11 def test_extensions(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_ian_aia_aki.pem"), x509.load_pem_x509_crl, backend ) crl_number = crl.extensions.get_extension_for_oid( ExtensionOID.CRL_NUMBER ) aki = crl.extensions.get_extension_for_class( x509.AuthorityKeyIdentifier ) aia = crl.extensions.get_extension_for_class( x509.AuthorityInformationAccess ) ian = crl.extensions.get_extension_for_class( x509.IssuerAlternativeName ) assert crl_number.value == x509.CRLNumber(1) assert crl_number.critical is False assert aki.value == x509.AuthorityKeyIdentifier( key_identifier=( b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX' ), authority_cert_issuer=None, authority_cert_serial_number=None ) assert aia.value == x509.AuthorityInformationAccess([ x509.AccessDescription( AuthorityInformationAccessOID.CA_ISSUERS, x509.DNSName(u"cryptography.io") ) ]) assert ian.value == x509.IssuerAlternativeName([ x509.UniformResourceIdentifier(u"https://cryptography.io"), ]) def test_signature(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, backend ) assert crl.signature == binascii.unhexlify( b"536a5a0794f68267361e7bc2f19167a3e667a2ab141535616855d8deb2ba1af" b"9fd4546b1fe76b454eb436af7b28229fedff4634dfc9dd92254266219ae0ea8" b"75d9ff972e9a2da23d5945f073da18c50a4265bfed9ca16586347800ef49dd1" b"6856d7265f4f3c498a57f04dc04404e2bd2e2ada1f5697057aacef779a18371" b"c621edc9a5c2b8ec1716e8fa22feeb7fcec0ce9156c8d344aa6ae8d1a5d99d0" b"9386df36307df3b63c83908f4a61a0ff604c1e292ad63b349d1082ddd7ae1b7" b"c178bba995523ec6999310c54da5706549797bfb1230f5593ba7b4353dade4f" b"d2be13a57580a6eb20b5c4083f000abac3bf32cd8b75f23e4c8f4b3a79e1e2d" b"58a472b0" ) def test_tbs_certlist_bytes(self, backend): crl = _load_cert( os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"), x509.load_der_x509_crl, backend ) ca_cert = _load_cert( os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), x509.load_der_x509_certificate, backend ) verifier = ca_cert.public_key().verifier( crl.signature, padding.PKCS1v15(), crl.signature_hash_algorithm ) verifier.update(crl.tbs_certlist_bytes) verifier.verify() def test_public_bytes_pem(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_empty.pem"), x509.load_pem_x509_crl, backend ) # Encode it to PEM and load it back. crl = x509.load_pem_x509_crl(crl.public_bytes( encoding=serialization.Encoding.PEM, ), backend) assert len(crl) == 0 assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47) assert crl.next_update == datetime.datetime(2015, 12, 28
/* Copyright 2017 Joseph Wasson
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
#include "process_steno.h"
#include "quantum_keycodes.h"
#include "eeprom.h"
#include "keymap_steno.h"
#include "virtser.h"
#include <string.h>

// TxBolt Codes
#define TXB_NUL 0
#define TXB_S_L 0b00000001
#define TXB_T_L 0b00000010
#define TXB_K_L 0b00000100
#define TXB_P_L 0b00001000
#define TXB_W_L 0b00010000
#define TXB_H_L 0b00100000
#define TXB_R_L 0b01000001
#define TXB_A_L 0b01000010
#define TXB_O_L 0b01000100
#define TXB_STR 0b01001000
#define TXB_E_R 0b01010000
#define TXB_U_R 0b01100000
#define TXB_F_R 0b10000001
#define TXB_R_R 0b10000010
#define TXB_P_R 0b10000100
#define TXB_B_R 0b10001000
#define TXB_L_R 0b10010000
#define TXB_G_R 0b10100000
#define TXB_T_R 0b11000001
#define TXB_S_R 0b11000010
#define TXB_D_R 0b11000100
#define TXB_Z_R 0b11001000
#define TXB_NUM 0b11010000

#define TXB_GRP0 0b00000000
#define TXB_GRP1 0b01000000
#define TXB_GRP2 0b10000000
#define TXB_GRP3 0b11000000
#define TXB_GRPMASK 0b11000000

#define TXB_GET_GROUP(code) ((code & TXB_GRPMASK) >> 6)

#define BOLT_STATE_SIZE 4
#define GEMINI_STATE_SIZE 6
#define MAX_STATE_SIZE GEMINI_STATE_SIZE

static uint8_t      state[MAX_STATE_SIZE] = {0};
static uint8_t      chord[MAX_STATE_SIZE] = {0};
static int8_t       pressed               = 0;
static steno_mode_t mode;

static const uint8_t boltmap[64] PROGMEM = {TXB_NUL, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_S_L, TXB_S_L, TXB_T_L, TXB_K_L, TXB_P_L, TXB_W_L, TXB_H_L, TXB_R_L, TXB_A_L, TXB_O_L, TXB_STR, TXB_STR, TXB_NUL, TXB_NUL, TXB_NUL, TXB_STR, TXB_STR, TXB_E_R, TXB_U_R, TXB_F_R, TXB_R_R, TXB_P_R, TXB_B_R, TXB_L_R, TXB_G_R, TXB_T_R, TXB_S_R, TXB_D_R, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_NUM, TXB_Z_R};

static void steno_clear_state(void) {
    memset(state, 0, sizeof(state));
    memset(chord, 0, sizeof(chord));
}

static void send_steno_state(uint8_t size, bool send_empty) {
    for (uint8_t i = 0; i < size; ++i) {
        if (chord[i] || send_empty) {
            virtser_send(chord[i]);
        }
    }
}

void steno_init() {
    if (!eeconfig_is_enabled()) {
        eeconfig_init();
    }
    mode = eeprom_read_byte(EECONFIG_STENOMODE);
}

void steno_set_mode(steno_mode_t new_mode) {
    steno_clear_state();
    mode = new_mode;
    eeprom_update_byte(EECONFIG_STENOMODE, mode);
}

/* override to intercept chords right before they get sent.
 * return zero to suppress normal sending behavior.
 */
__attribute__((weak)) bool send_steno_chord_user(steno_mode_t mode, uint8_t chord[6]) { return true; }

__attribute__((weak)) bool postprocess_steno_user(uint16_t keycode, keyrecord_t *record, steno_mode_t mode, uint8_t chord[6], int8_t pressed) { return true; }

__attribute__((weak)) bool process_steno_user(uint16_t keycode, keyrecord_t *record) { return true; }

static void send_steno_chord(void) {
    if (send_steno_chord_user(mode, chord)) {
        switch (mode) {
            case STENO_MODE_BOLT:
                send_steno_state(BOLT_STATE_SIZE, false);
                virtser_send(0);  // terminating byte
                break;
            case STENO_MODE_GEMINI:
                chord[0] |= 0x80;  // Indicate start of packet
                send_steno_state(GEMINI_STATE_SIZE, true);
                break;
        }
    }
    steno_clear_state();
}

uint8_t *steno_get_state(void) { return &state[0]; }

uint8_t *steno_get_chord(void) { return &chord[0]; }

static bool update_state_bolt(uint8_t key, bool press) {
    uint8_t boltcode = pgm_read_byte(boltmap + key);
    if (press) {
        state[TXB_GET_GROUP(boltcode)] |= boltcode;
        chord[TXB_GET_GROUP(boltcode)] |= boltcode;
    } else {
        state[TXB_GET_GROUP(boltcode)] &= ~boltcode;
    }
    return false;
}

static bool update_state_gemini(uint8_t key, bool press) {
    int     idx = key / 7;
    uint8_t bit = 1 << (6 - (key % 7));
    if (press) {
        state[idx] |= bit;
        chord[idx] |= bit;
    } else {
        state[idx] &= ~bit;
    }
    return false;
}

bool process_steno(uint16_t keycode, keyrecord_t *record) {
    switch (keycode) {
        case QK_STENO_BOLT:
            if (!process_steno_user(keycode, record)) {
                return false;
            }
            if (IS_PRESSED(record->event)) {
                steno_set_mode(STENO_MODE_BOLT);
            }
            return false;

        case QK_STENO_GEMINI:
            if (!process_steno_user(keycode, record)) {
                return false;
            }
            if (IS_PRESSED(record->event)) {
                steno_set_mode(STENO_MODE_GEMINI);
            }
            return false;

        case STN__MIN ... STN__MAX:
            if (!process_steno_user(keycode, record)) {
                return false;
            }
            switch (mode) {
                case STENO_MODE_BOLT:
                    update_state_bolt(keycode - QK_STENO, IS_PRESSED(record->event));
                    break;
                case STENO_MODE_GEMINI:
                    update_state_gemini(keycode - QK_STENO, IS_PRESSED(record->event));
                    break;
            }
            // allow postprocessing hooks
            if (postprocess_steno_user(keycode, record, mode, chord, pressed)) {
                if (IS_PRESSED(record->event)) {
                    ++pressed;
                } else {
                    --pressed;
                    if (pressed <= 0) {
                        pressed = 0;
                        send_steno_chord();
                    }
                }
            }
            return false;
    }
    return true;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-29 05:47:53 +0000
TE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] extensions = request.extensions assert isinstance(extensions, x509.Extensions) assert list(extensions) == [] @pytest.mark.parametrize( "loader_func", [x509.load_pem_x509_csr, x509.load_der_x509_csr] ) def test_invalid_certificate_request(self, loader_func, backend): with pytest.raises(ValueError): loader_func(b"notacsr", backend) def test_unsupported_signature_hash_algorithm_request(self, backend): request = _load_cert( os.path.join("x509", "requests", "rsa_md4.pem"), x509.load_pem_x509_csr, backend ) with pytest.raises(UnsupportedAlgorithm): request.signature_hash_algorithm def test_duplicate_extension(self, backend): request = _load_cert( os.path.join( "x509", "requests", "two_basic_constraints.pem" ), x509.load_pem_x509_csr, backend ) with pytest.raises(x509.DuplicateExtension) as exc: request.extensions assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS def test_unsupported_critical_extension(self, backend): request = _load_cert( os.path.join( "x509", "requests", "unsupported_extension_critical.pem" ), x509.load_pem_x509_csr, backend ) with pytest.raises(x509.UnsupportedExtension) as exc: request.extensions assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4') def test_unsupported_extension(self, backend): request = _load_cert( os.path.join( "x509", "requests", "unsupported_extension.pem" ), x509.load_pem_x509_csr, backend ) extensions = request.extensions assert len(extensions) == 1 assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4") assert extensions[0].value == x509.UnrecognizedExtension( x509.ObjectIdentifier("1.2.3.4"), b"value" ) def test_request_basic_constraints(self, backend): request = _load_cert( os.path.join( "x509", "requests", "basic_constraints.pem" ), x509.load_pem_x509_csr, backend ) extensions = request.extensions assert isinstance(extensions, x509.Extensions) assert list(extensions) == [ x509.Extension( ExtensionOID.BASIC_CONSTRAINTS, True, x509.BasicConstraints(ca=True, path_length=1), ), ] def test_subject_alt_name(self, backend): request = _load_cert( os.path.join("x509", "requests", "san_rsa_sha1.pem"), x509.load_pem_x509_csr, backend, ) ext = request.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [ x509.DNSName(u"cryptography.io"), x509.DNSName(u"sub.cryptography.io"), ] def test_public_bytes_pem(self, backend): # Load an existing CSR. request = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) # Encode it to PEM and load it back. request = x509.load_pem_x509_csr(request.public_bytes( encoding=serialization.Encoding.PEM, ), backend) # We should recover what we had to start with. assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] def test_public_bytes_der(self, backend): # Load an existing CSR. request = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) # Encode it to DER and load it back. request = x509.load_der_x509_csr(request.public_bytes( encoding=serialization.Encoding.DER, ), backend) # We should recover what we had to start with. assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] def test_signature(self, backend): request = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request.signature == binascii.unhexlify( b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1" b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d" b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80" b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e" b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f" b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41" b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862" b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b" ) def test_tbs_certrequest_bytes(self, backend): request = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request.tbs_certrequest_bytes == binascii.unhexlify( b"308201840201003057310b3009060355040613025553310e300c060355040813" b"055465786173310f300d0603550407130641757374696e310d300b060355040a" b"130450794341311830160603550403130f63727970746f6772617068792e696f" b"30820122300d06092a864886f70d01010105000382010f003082010a02820101" b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d" b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7" b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22" b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a" b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a" b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d" b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7" b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964" b"a30203010001a000" ) verifier = request.public_key().verifier( request.signature, padding.PKCS1v15(), request.signature_hash_algorithm ) verifier.update(request.tbs_certrequest_bytes) verifier.verify() def test_public_bytes_invalid_encoding(self, backend): request = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) with pytest.raises(TypeError): request.public_bytes('NotAnEncoding') @pytest.mark.parametrize( ("request_path", "loader_func", "encoding"), [ ( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, serialization.Encoding.PEM, ), ( os.path.join("x509", "requests", "rsa_sha1.der"), x509.load_der_x509_csr, serialization.Encoding.DER, ), ] ) def test_public_bytes_match(self, request_path, loader_func, encoding, backend): request_bytes = load_vectors_from_file( request_path, lambda pemfile: pemfile.read(), mode="rb" ) request = loader_func(request_bytes, backend) serialized = request.public_bytes(encoding) assert serialized == request_bytes def test_eq(self, backend): request1 = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) request2 = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request1 == request2 def test_ne(self, backend): request1 = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) request2 = _load_cert( os.path.join("x509", "requests", "san_rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request1 != request2 assert request1 != object() def test_hash(self, backend): request1 = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) request2 = _load_cert( os.path.join("x509", "requests", "rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) request3 = _load_cert( os.path.join("x509", "requests", "san_rsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert hash(request1) == hash(request2) assert hash(request1) != hash(request3) def test_build_cert(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) assert cert.version is x509.Version.v3 assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), ] def test_build_cert_printable_string_country_name(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ])).public_key( subject_private_key.public_key() ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) parsed, _ = decoder.decode( cert.public_bytes(serialization.Encoding.DER), asn1Spec=rfc2459.Certificate() ) tbs_cert = parsed.getComponentByName('tbsCertificate') subject = tbs_cert.getComponentByName('subject') issuer = tbs_cert.getComponentByName('issuer') # \x13 is printable string. The first byte of the value of the # node corresponds to the ASN.1 string type. assert subject[0][0][0][1][0] == b"\x13"[0] assert issuer[0][0][0][1][0] == b"\x13"[0] class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_checks_for_unsupported_extensions(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( private_key.public_key() ).serial_number( 777 ).not_valid_before( datetime.datetime(1999, 1, 1) ).not_valid_after( datetime.datetime(2020, 1, 1) ).add_extension( DummyExtension(), False ) with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA1(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_encode_nonstandard_aia(self, backend): private_key = RSA_KEY_2048.private_key(backend) aia = x509.AuthorityInformationAccess([ x509.AccessDescription( x509.ObjectIdentifier("2.999.7"), x509.UniformResourceIdentifier(u"http://example.com") ), ]) builder = x509.CertificateBuilder().subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( private_key.public_key() ).serial_number( 777 ).not_valid_before( datetime.datetime(1999, 1, 1) ).not_valid_after( datetime.datetime(2020, 1, 1) ).add_extension( aia, False ) builder.sign(private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_subject_name(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_issuer_name(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 777 ).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_public_key(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_not_valid_before(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_not_valid_after(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_no_serial_number(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) with pytest.raises(ValueError): builder.sign(subject_private_key, hashes.SHA256(), backend) def test_issuer_name_must_be_a_name_type(self): builder = x509.CertificateBuilder() with pytest.raises(TypeError): builder.issuer_name("subject") with pytest.raises(TypeError): builder.issuer_name(object) def test_issuer_name_may_only_be_set_once(self): name = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) builder = x509.CertificateBuilder().issuer_name(name) with pytest.raises(ValueError): builder.issuer_name(name) def test_subject_name_must_be_a_name_type(self): builder = x509.CertificateBuilder() with pytest.raises(TypeError): builder.subject_name("subject") with pytest.raises(TypeError): builder.subject_name(object) def test_subject_name_may_only_be_set_once(self): name = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) builder = x509.CertificateBuilder().subject_name(name) with pytest.raises(ValueError): builder.subject_name(name) def test_not_valid_before_after_not_valid_after(self): builder = x509.CertificateBuilder() builder = builder.not_valid_after( datetime.datetime(2002, 1, 1, 12, 1) ) with pytest.raises(ValueError): builder.not_valid_before( datetime.datetime(2003, 1, 1, 12, 1) ) def test_not_valid_after_before_not_valid_before(self): builder = x509.CertificateBuilder() builder = builder.not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ) with pytest.raises(ValueError): builder.not_valid_after( datetime.datetime(2001, 1, 1, 12, 1) ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_public_key_must_be_public_key(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() with pytest.raises(TypeError): builder.public_key(private_key) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_public_key_may_only_be_set_once(self, backend): private_key = RSA_KEY_2048.private_key(backend) public_key = private_key.public_key() builder = x509.CertificateBuilder().public_key(public_key) with pytest.raises(ValueError): builder.public_key(public_key) def test_serial_number_must_be_an_integer_type(self): with pytest.raises(TypeError): x509.CertificateBuilder().serial_number(10.0) def test_serial_number_must_be_non_negative(self): with pytest.raises(ValueError): x509.CertificateBuilder().serial_number(-10) def test_serial_number_must_be_less_than_160_bits_long(self): with pytest.raises(ValueError): # 2 raised to the 160th power is actually 161 bits x509.CertificateBuilder().serial_number(2 ** 160) def test_serial_number_may_only_be_set_once(self): builder = x509.CertificateBuilder().serial_number(10) with pytest.raises(ValueError): builder.serial_number(20) def test_invalid_not_valid_after(self): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_after(104204304504) with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_after(datetime.time()) with pytest.raises(ValueError): x509.CertificateBuilder().not_valid_after( datetime.datetime(1960, 8, 10) ) def test_not_valid_after_may_only_be_set_once(self): builder = x509.CertificateBuilder().not_valid_after( datetime.datetime.now() ) with pytest.raises(ValueError): builder.not_valid_after( datetime.datetime.now() ) def test_invalid_not_valid_before(self): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_before(104204304504) with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_before(datetime.time()) with pytest.raises(ValueError): x509.CertificateBuilder().not_valid_before( datetime.datetime(1960, 8, 10) ) def test_not_valid_before_may_only_be_set_once(self): builder = x509.CertificateBuilder().not_valid_before( datetime.datetime.now() ) with pytest.raises(ValueError): builder.not_valid_before( datetime.datetime.now() ) def test_add_extension_checks_for_duplicates(self): builder = x509.CertificateBuilder().add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ) with pytest.raises(ValueError): builder.add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ) def test_add_invalid_extension_type(self): builder = x509.CertificateBuilder() with pytest.raises(TypeError): builder.add_extension(object(), False) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_sign_with_unsupported_hash(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() builder = builder.subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).serial_number( 1 ).public_key( private_key.public_key() ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2032, 1, 1, 12, 1) ) with pytest.raises(TypeError): builder.sign(private_key, object(), backend) @pytest.mark.parametrize( "cdp", [ x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=None, relative_name=x509.Name([ x509.NameAttribute( NameOID.COMMON_NAME, u"indirect CRL for indirectCRL CA3" ), ]), reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( NameOID.ORGANIZATION_NAME, u"Test Certificates 2011" ), x509.NameAttribute( NameOID.ORGANIZATIONAL_UNIT_NAME, u"indirectCRL CA3 cRLIssuer" ), ]) )], ) ]), x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[x509.DirectoryName( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), ]) )], relative_name=None, reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute( NameOID.ORGANIZATION_NAME, u"cryptography Testing" ), ]) )], ) ]), x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[ x509.UniformResourceIdentifier( u"http://myhost.com/myca.crl" ), x509.UniformResourceIdentifier( u"http://backup.myhost.com/myca.crl" ) ], relative_name=None, reasons=frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise ]), crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], ) ]), x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[x509.UniformResourceIdentifier( u"http://domain.com/some.crl" )], relative_name=None, reasons=frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, x509.ReasonFlags.affiliation_changed, x509.ReasonFlags.superseded, x509.ReasonFlags.privilege_withdrawn, x509.ReasonFlags.cessation_of_operation, x509.ReasonFlags.aa_compromise, x509.ReasonFlags.certificate_hold, ]), crl_issuer=None ) ]), x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=None, relative_name=None, reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute( NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], ) ]), x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[x509.UniformResourceIdentifier( u"http://domain.com/some.crl" )], relative_name=None, reasons=frozenset([x509.ReasonFlags.aa_compromise]), crl_issuer=None ) ]) ] ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_crl_distribution_points(self, backend, cdp): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().serial_number( 4444444 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ])).public_key( subject_private_key.public_key() ).add_extension( cdp, critical=False, ).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( datetime.datetime(2030, 12, 31, 8, 30) ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.CRL_DISTRIBUTION_POINTS ) assert ext.critical is False assert ext.value == cdp @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_dsa_private_key(self, backend): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") issuer_private_key = DSA_KEY_2048.private_key(backend) subject_private_key = DSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) assert cert.version is x509.Version.v3 assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), ] @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_ec_private_key(self, backend): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") _skip_curve_unsupported(backend, ec.SECP256R1()) issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) assert cert.version is x509.Version.v3 assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), ] @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_rsa_key_too_small(self, backend): issuer_private_key = RSA_KEY_512.private_key(backend) subject_private_key = RSA_KEY_512.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) with pytest.raises(ValueError): builder.sign(issuer_private_key, hashes.SHA512(), backend) @pytest.mark.parametrize( "cp", [ x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), [u"http://other.com/cps"] ) ]), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), None ) ]), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), [ u"http://example.com/cps", u"http://other.com/cps", x509.UserNotice( x509.NoticeReference(u"my org", [1, 2, 3, 4]), u"thing" ) ] ) ]), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), [ u"http://example.com/cps", x509.UserNotice( x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]), u"We heart UTF8!\u2122" ) ] ) ]), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), [x509.UserNotice(None, u"thing")] ) ]), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), [ x509.UserNotice( x509.NoticeReference(u"my org", [1, 2, 3, 4]), None ) ] ) ]) ] ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_certificate_policies(self, cp, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( cp, critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( x509.OID_CERTIFICATE_POLICIES ) assert ext.value == cp @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_issuer_alt_name(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( x509.IssuerAlternativeName([ x509.DNSName(u"myissuer"), x509.RFC822Name(u"email@domain.com"), ]), critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.ISSUER_ALTERNATIVE_NAME ) assert ext.critical is False assert ext.value == x509.IssuerAlternativeName([ x509.DNSName(u"myissuer"), x509.RFC822Name(u"email@domain.com"), ]) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_extended_key_usage(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CODE_SIGNING, ]), critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) eku = cert.extensions.get_extension_for_oid( ExtensionOID.EXTENDED_KEY_USAGE ) assert eku.critical is False assert eku.value == x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CODE_SIGNING, ]) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_inhibit_any_policy(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( x509.InhibitAnyPolicy(3), critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.INHIBIT_ANY_POLICY ) assert ext.value == x509.InhibitAnyPolicy(3) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_name_constraints(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) excluded = [x509.DNSName(u"name.local")] nc = x509.NameConstraints( permitted_subtrees=None, excluded_subtrees=excluded ) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( nc, critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.NAME_CONSTRAINTS ) assert ext.value == nc @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_key_usage(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ).public_key( subject_private_key.public_key() ).serial_number( 123 ).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False ), critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_ca_request_with_path_length_none(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=None), critical=True ).sign(private_key, hashes.SHA1(), backend) loaded_request = x509.load_pem_x509_csr( request.public_bytes(encoding=serialization.Encoding.PEM), backend ) subject = loaded_request.subject assert isinstance(subject, x509.Name) basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.path_length is None @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=RSABackend) def test_sign_invalid_hash_algorithm(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([]) ) with pytest.raises(TypeError): builder.sign(private_key, 'NotAHash', backend) @pytest.mark.requires_backend_interface(interface=RSABackend) def test_no_subject_name(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256(), backend) @pytest.mark.requires_backend_interface(interface=RSABackend) def test_build_ca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ] basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @pytest.mark.requires_backend_interface(interface=RSABackend) def test_build_ca_request_with_unicode(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign(private_key, hashes.SHA1(), backend) loaded_request = x509.load_pem_x509_csr( request.public_bytes(encoding=serialization.Encoding.PEM), backend ) subject = loaded_request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), ] @pytest.mark.requires_backend_interface(interface=RSABackend) def test_build_nonca_request_with_rsa(self, backend): private_key = RSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, ).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) def test_build_ca_request_with_ec(self, backend): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, ec.EllipticCurvePublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ] basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @pytest.mark.requires_backend_interface(interface=DSABackend) def test_build_ca_request_with_dsa(self, backend): if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000: pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") private_key = DSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, dsa.DSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 def test_add_duplicate_extension(self): builder = x509.CertificateSigningRequestBuilder().add_extension( x509.BasicConstraints(True, 2), critical=True, ) with pytest.raises(ValueError): builder.add_extension( x509.BasicConstraints(True, 2), critical=True, ) def test_set_invalid_subject(self): builder = x509.CertificateSigningRequestBuilder() with pytest.raises(TypeError): builder.subject_name('NotAName') def test_add_invalid_extension_type(self): builder = x509.CertificateSigningRequestBuilder() with pytest.raises(TypeError): builder.add_extension(object(), False) def test_add_unsupported_extension(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).add_extension( DummyExtension(), False ) with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA256(), backend) def test_key_usage(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() request = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False ), critical=False ).sign(private_key, hashes.SHA256(), backend) assert len(request.extensions) == 1 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=True, content_commitment=True, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=False ) def test_key_usage_key_agreement_bit(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() request = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.KeyUsage( digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=True, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=True ), critical=False ).sign(private_key, hashes.SHA256(), backend) assert len(request.extensions) == 1 ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=True, key_cert_sign=True, crl_sign=False, encipher_only=False, decipher_only=True ) def test_add_two_extensions(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() request = builder.subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True ).sign(private_key, hashes.SHA1(), backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) basic_constraints = request.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 ext = request.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [x509.DNSName(u"cryptography.io")] def test_set_subject_twice(self): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ) with pytest.raises(ValueError): builder.subject_name( x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ) def test_subject_alt_names(self, backend): private_key = RSA_KEY_2048.private_key(backend) csr = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), ]) ).add_extension( x509.SubjectAlternativeName([ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), x509.DirectoryName(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'), x509.NameAttribute( NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122' ) ])), x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), x509.IPAddress(ipaddress.ip_address(u"ff::")), x509.OtherName( type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), value=b"0\x03\x02\x01\x05" ), x509.RFC822Name(u"test@example.com"), x509.RFC822Name(u"email"), x509.RFC822Name(u"email@em\xe5\xefl.com"), x509.UniformResourceIdentifier( u"https://\u043f\u044b\u043a\u0430.cryptography" ), x509.UniformResourceIdentifier( u"gopher://cryptography:70/some/path" ), ]), critical=False, ).sign(private_key, hashes.SHA256(), backend) assert len(csr.extensions) == 1 ext = csr.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert not ext.critical assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME assert list(ext.value) == [ x509.DNSName(u"example.com"), x509.DNSName(u"*.example.com"), x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), x509.DirectoryName(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'), x509.NameAttribute( NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122' ), ])), x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")), x509.IPAddress(ipaddress.ip_address(u"ff::")), x509.OtherName( type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), value=b"0\x03\x02\x01\x05" ), x509.RFC822Name(u"test@example.com"), x509.RFC822Name(u"email"), x509.RFC822Name(u"email@em\xe5\xefl.com"), x509.UniformResourceIdentifier( u"https://\u043f\u044b\u043a\u0430.cryptography" ), x509.UniformResourceIdentifier( u"gopher://cryptography:70/some/path" ), ] def test_invalid_asn1_othername(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), ]) ).add_extension( x509.SubjectAlternativeName([ x509.OtherName( type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), value=b"\x01\x02\x01\x05" ), ]), critical=False, ) with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256(), backend) def test_subject_alt_name_unsupported_general_name(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"), ]) ).add_extension( x509.SubjectAlternativeName([FakeGeneralName("")]), critical=False, ) with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256(), backend) def test_extended_key_usage(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateSigningRequestBuilder() request = builder.subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).add_extension( x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CODE_SIGNING, ]), critical=False ).sign(private_key, hashes.SHA256(), backend) eku = request.extensions.get_extension_for_oid( ExtensionOID.EXTENDED_KEY_USAGE ) assert eku.critical is False assert eku.value == x509.ExtendedKeyUsage([ ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CODE_SIGNING, ]) @pytest.mark.requires_backend_interface(interface=RSABackend) def test_rsa_key_too_small(self, backend): private_key = rsa.generate_private_key(65537, 512, backend) builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ) with pytest.raises(ValueError) as exc: builder.sign(private_key, hashes.SHA512(), backend) assert str(exc.value) == "Digest too big for RSA key" @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_aia(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) aia = x509.AuthorityInformationAccess([ x509.AccessDescription( AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(u"http://ocsp.domain.com") ), x509.AccessDescription( AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") ) ]) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( aia, critical=False ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.AUTHORITY_INFORMATION_ACCESS ) assert ext.value == aia @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_ski(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) ski = x509.SubjectKeyIdentifier.from_public_key( subject_private_key.public_key() ) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( ski, critical=False ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_KEY_IDENTIFIER ) assert ext.value == ski @pytest.mark.parametrize( "aki", [ x509.AuthorityKeyIdentifier( b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" b"\xcbY", None, None ), x509.AuthorityKeyIdentifier( b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08" b"\xcbY", [ x509.DirectoryName( x509.Name([ x509.NameAttribute( NameOID.ORGANIZATION_NAME, u"PyCA" ), x509.NameAttribute( NameOID.COMMON_NAME, u"cryptography CA" ) ]) ) ], 333 ), x509.AuthorityKeyIdentifier( None, [ x509.DirectoryName( x509.Name([ x509.NameAttribute( NameOID.ORGANIZATION_NAME, u"PyCA" ), x509.NameAttribute( NameOID.COMMON_NAME, u"cryptography CA" ) ]) ) ], 333 ), ] ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_aki(self, aki, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( aki, critical=False ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext.value == aki def test_ocsp_nocheck(self, backend): issuer_private_key = RSA_KEY_2048.private_key(backend) subject_private_key = RSA_KEY_2048.private_key(backend) not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( x509.OCSPNoCheck(), critical=False ).not_valid_before( not_valid_before ).not_valid_after( not_valid_after ) cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( ExtensionOID.OCSP_NO_CHECK ) assert isinstance(ext.value, x509.OCSPNoCheck) @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestDSACertificate(object): def test_load_dsa_cert(self, backend): cert = _load_cert( os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), x509.load_pem_x509_certificate, backend ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) public_key = cert.public_key() assert isinstance(public_key, dsa.DSAPublicKey) num = public_key.public_numbers() assert num.y == int( "4c08bfe5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa94" "53b6656f13e543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2" "dea559f0b584c97a2b235b9b69b46bc6de1aed422a6f341832618bcaae2" "198aba388099dafb05ff0b5efecb3b0ae169a62e1c72022af50ae68af3b" "033c18e6eec1f7df4692c456ccafb79cc7e08da0a5786e9816ceda651d6" "1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386" "b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2" "002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632" "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16 ) assert num.parameter_numbers.g == int( "4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67" "d789d99770aec32c0415dc92970880872da45fef8dd1e115a3e4801387b" "a6d755861f062fd3b6e9ea8e2641152339b828315b1528ee6c7b79458d2" "1f3db973f6fc303f9397174c2799dd2351282aa2d8842c357a73495bbaa" "c4932786414c55e60d73169f5761036fba29e9eebfb049f8a3b1b7cee6f" "3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a" "1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0" "b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76" "fa6247676a6d3ac945844a083509c6a1b436baca", 16 ) assert num.parameter_numbers.p == int( "bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3" "af1c73d16b24f34a4964781ae7e50500e21777754a670bd19a7420d6330" "84e5556e33ca2c0e7d547ea5f46a07a01bf8669ae3bdec042d9b2ae5e6e" "cf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736857971444c25d0a" "33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e03e419fd4ca4" "e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2" "2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93" "f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d" "833e36468f3907cfca788a3cb790f0341c8a31bf", 16 ) assert num.parameter_numbers.q == int( "822ff5d234e073b901cf5941f58e1f538e71d40d", 16 ) def test_signature(self, backend): cert = _load_cert( os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), x509.load_pem_x509_certificate, backend ) assert cert.signature == binascii.unhexlify( b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326" b"86bdf925716b4ed059184396bcce" ) r, s = decode_dss_signature(cert.signature) assert r == 215618264820276283222494627481362273536404860490 assert s == 532023851299196869156027211159466197586787351758 def test_tbs_certificate_bytes(self, backend): cert = _load_cert( os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), x509.load_pem_x509_certificate, backend ) assert cert.tbs_certificate_bytes == binascii.unhexlify( b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033" b"067310b3009060355040613025553310e300c06035504081305546578617331" b"0f300d0603550407130641757374696e3121301f060355040a1318496e74657" b"26e6574205769646769747320507479204c7464311430120603550403130b50" b"79434120445341204341301e170d3134313132373035313431375a170d31343" b"13232373035313431375a3067310b3009060355040613025553310e300c0603" b"55040813055465786173310f300d0603550407130641757374696e3121301f0" b"60355040a1318496e7465726e6574205769646769747320507479204c746431" b"1430120603550403130b50794341204453412043413082033a3082022d06072" b"a8648ce380401308202200282010100bfade6048e373cd4e48b677e878c8e5b" b"08c02102ae04eb2cb5c46a523a3af1c73d16b24f34a4964781ae7e50500e217" b"77754a670bd19a7420d633084e5556e33ca2c0e7d547ea5f46a07a01bf8669a" b"e3bdec042d9b2ae5e6ecf49f00ba9dac99ab6eff140d2cedf722ee62c2f9736" b"857971444c25d0a33d2017dc36d682a1054fe2a9428dda355a851ce6e6d61e0" b"3e419fd4ca4e703313743d86caa885930f62ed5bf342d8165627681e9cc3244" b"ba72aa22148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56d" b"a93f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d8" b"33e36468f3907cfca788a3cb790f0341c8a31bf021500822ff5d234e073b901" b"cf5941f58e1f538e71d40d028201004b7ced71dc353965ecc10d441a9a06fc2" b"4943a32d66429dd5ef44d43e67d789d99770aec32c0415dc92970880872da45" b"fef8dd1e115a3e4801387ba6d755861f062fd3b6e9ea8e2641152339b828315" b"b1528ee6c7b79458d21f3db973f6fc303f9397174c2799dd2351282aa2d8842" b"c357a73495bbaac4932786414c55e60d73169f5761036fba29e9eebfb049f8a" b"3b1b7cee6f3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c" b"64130a1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425" b"c0b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76fa" b"6247676a6d3ac945844a083509c6a1b436baca0382010500028201004c08bfe" b"5f2d76649c80acf7d431f6ae2124b217abc8c9f6aca776ddfa9453b6656f13e" b"543684cd5f6431a314377d2abfa068b7080cb8ddc065afc2dea559f0b584c97" b"a2b235b9b69b46bc6de1aed422a6f341832618bcaae2198aba388099dafb05f" b"f0b5efecb3b0ae169a62e1c72022af50ae68af3b033c18e6eec1f7df4692c45" b"6ccafb79cc7e08da0a5786e9816ceda651d61b4bb7b81c2783da97cea62df67" b"af5e85991fdc13aff10fc60e06586386b96bb78d65750f542f86951e05a6d81" b"baadbcd35a2e5cad4119923ae6a2002091a3d17017f93c52970113cdc119970" b"b9074ca506eac91c3dd376325df4af6b3911ef267d26623a5a1c5df4a6d13f1" b"ca381cc3081c9301d0603551d0e04160414a4fb887a13fcdeb303bbae9a1dec" b"a72f125a541b3081990603551d2304819130818e8014a4fb887a13fcdeb303b" b"bae9a1deca72f125a541ba16ba4693067310b3009060355040613025553310e" b"300c060355040813055465786173310f300d0603550407130641757374696e3" b"121301f060355040a1318496e7465726e657420576964676974732050747920" b"4c7464311430120603550403130b5079434120445341204341820900a37352e" b"0b2142f86300c0603551d13040530030101ff" ) verifier = cert.public_key().verifier( cert.signature, cert.signature_hash_algorithm ) verifier.update(cert.tbs_certificate_bytes) verifier.verify() @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestDSACertificateRequest(object): @pytest.mark.parametrize( ("path", "loader_func"), [ [ os.path.join("x509", "requests", "dsa_sha1.pem"), x509.load_pem_x509_csr ], [ os.path.join("x509", "requests", "dsa_sha1.der"), x509.load_der_x509_csr ], ] ) def test_load_dsa_request(self, path, loader_func, backend): request = _load_cert(path, loader_func, backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA1) public_key = request.public_key() assert isinstance(public_key, dsa.DSAPublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ] def test_signature(self, backend): request = _load_cert( os.path.join("x509", "requests", "dsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request.signature == binascii.unhexlify( b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e" b"ce95de17273f0a924df23ce9d8188" ) def test_tbs_certrequest_bytes(self, backend): request = _load_cert( os.path.join("x509", "requests", "dsa_sha1.pem"), x509.load_pem_x509_csr, backend ) assert request.tbs_certrequest_bytes == binascii.unhexlify( b"3082021802010030573118301606035504030c0f63727970746f677261706879" b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331" b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e" b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284" b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad" b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30" b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3" b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b" b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f" b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6" b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352" b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4" b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6" b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c" b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878" b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba" b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000" ) verifier = request.public_key().verifier( request.signature, request.signature_hash_algorithm ) verifier.update(request.tbs_certrequest_bytes) verifier.verify() @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestECDSACertificate(object): def test_load_ecdsa_cert(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) cert = _load_cert( os.path.join("x509", "ecdsa_root.pem"), x509.load_pem_x509_certificate, backend ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA384) public_key = cert.public_key() assert isinstance(public_key, ec.EllipticCurvePublicKey) num = public_key.public_numbers() assert num.x == int( "dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f" "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16 ) assert num.y == int( "ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7" "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16 ) assert isinstance(num.curve, ec.SECP384R1) def test_signature(self, backend): cert = _load_cert( os.path.join("x509", "ecdsa_root.pem"), x509.load_pem_x509_certificate, backend ) assert cert.signature == binascii.unhexlify( b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085" b"a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50" b"dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e2" b"9ae55b7cb32717" ) r, s = decode_dss_signature(cert.signature) assert r == int( "adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32" "de66930ff1ccb1098fdd6cabfa6b7fa0", 16 ) assert s == int( "39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a" "a98ac5d100bdf854e29ae55b7cb32717", 16 ) def test_tbs_certificate_bytes(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) cert = _load_cert( os.path.join("x509", "ecdsa_root.pem"), x509.load_pem_x509_certificate, backend ) assert cert.tbs_certificate_bytes == binascii.unhexlify( b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082" b"a8648ce3d0403033061310b300906035504061302555331153013060355040a" b"130c446967694365727420496e6331193017060355040b13107777772e64696" b"769636572742e636f6d3120301e06035504031317446967694365727420476c" b"6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3" b"338303131353132303030305a3061310b300906035504061302555331153013" b"060355040a130c446967694365727420496e6331193017060355040b1310777" b"7772e64696769636572742e636f6d3120301e06035504031317446967694365" b"727420476c6f62616c20526f6f742047333076301006072a8648ce3d0201060" b"52b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34" b"eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf8" b"42e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb5" b"43ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101f" b"f300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4" b"f9a1c5d8ae3641cc1163696229bc4bc6" ) verifier = cert.public_key().verifier( cert.signature, ec.ECDSA(cert.signature_hash_algorithm) ) verifier.update(cert.tbs_certificate_bytes) verifier.verify() def test_load_ecdsa_no_named_curve(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) cert = _load_cert( os.path.join("x509", "custom", "ec_no_named_curve.pem"), x509.load_pem_x509_certificate, backend ) with pytest.raises(NotImplementedError): cert.public_key() @pytest.mark.requires_backend_interface(interface=X509Backend) @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) class TestECDSACertificateRequest(object): @pytest.mark.parametrize( ("path", "loader_func"), [ [ os.path.join("x509", "requests", "ec_sha256.pem"), x509.load_pem_x509_csr ], [ os.path.join("x509", "requests", "ec_sha256.der"), x509.load_der_x509_csr ], ] ) def test_load_ecdsa_certificate_request(self, path, loader_func, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) request = _load_cert(path, loader_func, backend) assert isinstance(request.signature_hash_algorithm, hashes.SHA256) public_key = request.public_key() assert isinstance(public_key, ec.EllipticCurvePublicKey) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ] def test_signature(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) request = _load_cert( os.path.join("x509", "requests", "ec_sha256.pem"), x509.load_pem_x509_csr, backend ) assert request.signature == binascii.unhexlify( b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1" b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5" b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463" b"347fe2382d1751" ) def test_tbs_certrequest_bytes(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) request = _load_cert( os.path.join("x509", "requests", "ec_sha256.pem"), x509.load_pem_x509_csr, backend ) assert request.tbs_certrequest_bytes == binascii.unhexlify( b"3081d602010030573118301606035504030c0f63727970746f6772617068792" b"e696f310d300b060355040a0c0450794341310b300906035504061302555331" b"0e300c06035504080c055465786173310f300d06035504070c0641757374696" b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3" b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e" b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f" b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000" ) verifier = request.public_key().verifier( request.signature, ec.ECDSA(request.signature_hash_algorithm) ) verifier.update(request.tbs_certrequest_bytes) verifier.verify() @pytest.mark.requires_backend_interface(interface=X509Backend) class TestOtherCertificate(object): def test_unsupported_subject_public_key_info(self, backend): cert = _load_cert( os.path.join( "x509", "custom", "unsupported_subject_public_key_info.pem" ), x509.load_pem_x509_certificate, backend, ) with pytest.raises(ValueError): cert.public_key() class TestNameAttribute(object): def test_init_bad_oid(self): with pytest.raises(TypeError): x509.NameAttribute(None, u'value') def test_init_bad_value(self): with pytest.raises(TypeError): x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), b'bytes' ) def test_eq(self): assert x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), u'value' ) == x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), u'value' ) def test_ne(self): assert x509.NameAttribute( x509.ObjectIdentifier('2.5.4.3'), u'value' ) != x509.NameAttribute( x509.ObjectIdentifier('2.5.4.5'), u'value' ) assert x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), u'value' ) != x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), u'value2' ) assert x509.NameAttribute( x509.ObjectIdentifier('2.999.2'), u'value' ) != object() def test_repr(self): na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value') if six.PY3: assert repr(na) == ( ", value='value')>" ) else: assert repr(na) == ( ", value=u'value')>" ) class TestObjectIdentifier(object): def test_eq(self): oid1 = x509.ObjectIdentifier('2.999.1') oid2 = x509.ObjectIdentifier('2.999.1') assert oid1 == oid2 def test_ne(self): oid1 = x509.ObjectIdentifier('2.999.1') assert oid1 != x509.ObjectIdentifier('2.999.2') assert oid1 != object() def test_repr(self): oid = x509.ObjectIdentifier("2.5.4.3") assert repr(oid) == "" oid = x509.ObjectIdentifier("2.999.1") assert repr(oid) == "" def test_name_property(self): oid = x509.ObjectIdentifier("2.5.4.3") assert oid._name == 'commonName' oid = x509.ObjectIdentifier("2.999.1") assert oid._name == 'Unknown OID' def test_too_short(self): with pytest.raises(ValueError): x509.ObjectIdentifier("1") def test_invalid_input(self): with pytest.raises(ValueError): x509.ObjectIdentifier("notavalidform") def test_invalid_node1(self): with pytest.raises(ValueError): x509.ObjectIdentifier("7.1.37") def test_invalid_node2(self): with pytest.raises(ValueError): x509.ObjectIdentifier("1.50.200") def test_valid(self): x509.ObjectIdentifier("0.35.200") x509.ObjectIdentifier("1.39.999") x509.ObjectIdentifier("2.5.29.3") x509.ObjectIdentifier("2.999.37.5.22.8") x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995") class TestName(object): def test_eq(self): name1 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) assert name1 == name2 def test_ne(self): name1 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), ]) assert name1 != name2 assert name1 != object() def test_hash(self): name1 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name3 = x509.Name([ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), ]) assert hash(name1) == hash(name2) assert hash(name1) != hash(name3) def test_repr(self): name = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ]) if six.PY3: assert repr(name) == ( ", value='cryptography.io')>, , valu" "e='PyCA')>])>" ) else: assert repr(name) == ( ", value=u'cryptography.io')>, , val" "ue=u'PyCA')>])>" )